{
  "version": "1.0",
  "provider_name": "Lassi's homepage",
  "provider_url": "https://lassinsivut.eu/en",
  "title": "Linux palvelimen perusturvallisuus - Lassin kotisivut",
  "type": "rich",
  "width": 600,
  "height": 338,
  "html": "<blockquote class=\"wp-embedded-content\" data-secret=\"TJ9jRqa7pb\"><a href=\"https://lassinsivut.eu/en/palvelimen-perusturvallisuus/\">Linux palvelimen perusturvallisuus</a></blockquote><iframe sandbox=\"allow-scripts\" security=\"restricted\" src=\"https://lassinsivut.eu/en/palvelimen-perusturvallisuus/embed/#?secret=TJ9jRqa7pb\" width=\"600\" height=\"338\" title=\"&#8220;Linux palvelimen perusturvallisuus&#8221; &#8212; Lassin kotisivut\" data-secret=\"TJ9jRqa7pb\" frameborder=\"0\" marginwidth=\"0\" marginheight=\"0\" scrolling=\"no\" class=\"wp-embedded-content\"></iframe>",
  "thumbnail_url": "https://lassinsivut.eu/wp-content/uploads/2023/03/Linuxsecurity.jpg",
  "thumbnail_width": 1280,
  "thumbnail_height": 720,
  "description": "Ensuring the basic security of a Linux server LOG CHECKING #check login attempts to the server in real time tail -f /var/log/auth.log #LOG COLORING apt install grc grc tail -f /var/log/auth.log (multitail also works for several logs at once) FAIL2BAN apt-get update apt-get install fail2ban systemctl status fail2ban nano /etc/fail2ban/jail.conf #ignore the local machine ignoreip = 127.0.0.1/8 #set the ban duration bantime = 600 #set how many login attempts are allowed maxretry = 3 #this sends mail to the root user when someone has been banned destemail = root@localhost sendername = Fail2Ban banned user! mta = sendmail action = %(action_mwl)s #this conveniently includes the log details in the mail action_mw #this one, however, includes the most action_mwl #this command stops fail2ban systemctl stop fail2ban #this starts it systemctl start fail2ban #this checks the current status systemctl status fail2ban # check the jail, the banned IPs and their count fail2ban-client status sshd UFW FIREWALL apt install ufw systemctl enable ufw systemctl start ufw systemctl status ufw #open a port in the firewall ufw allow \"port\" #open port 80 ufw allow 80 OPENSSH #install ssh apt install openssh-server #enable ssh, also at machine startup systemctl enable ssh #check the current status of ssh systemctl status sshd #stop ssh systemctl stop sshd nano /etc/ssh/sshd_config #change the default port to another one #Port 22 Port 222 #forbid logging in as root #PermitRootLogin PermitRootLogin no #allow the user lassi to log in AllowUsers lassi #restart ssh systemctl restart sshd netstat -tulpn netstat -tulpn | grep 22 ufw allow ssh ufw allow 22 SSH HARDENING #install the modules and applications that map the attacker's IP address to a country apt-get install geoip-bin geoip-database #create the script that controls access nano /usr/local/bin/ipfilter.sh #!/bin/bash ALLOW_COUNTRIES=\"IN US\" LOGDENY_FACILITY=\"authpriv.notice\" if [ $# -ne 1 ]; then echo \"Usage: `basename $0` \" 1>&2 exit 0 # return true in case of config issue fi if [[ \"`echo $1 | grep ':'`\" != \"\" ]] ; then COUNTRY=`/usr/bin/geoiplookup6 \"$1\" | awk -F \": \" '{ print $2 }' | awk -F \",\" '{ print $1 }' | head -n 1` else COUNTRY=`/usr/bin/geoiplookup \"$1\" | awk -F \": \" '{ print $2 }' | awk -F \",\" '{ print $1 }' | head -n 1` fi [[ $COUNTRY = \"IP Address not found\" || $ALLOW_COUNTRIES =~ $COUNTRY ]] && RESPONSE=\"ALLOW\" || RESPONSE=\"DENY\" if [[ \"$RESPONSE\" == \"ALLOW\" ]] ; then logger -p $LOGDENY_FACILITY \"$RESPONSE sshd connection from $1 ($COUNTRY)\" exit 0 else logger -p $LOGDENY_FACILITY \"$RESPONSE sshd connection from $1 ($COUNTRY)\" exit 1 fi #This change must be made if the script is to run! chmod +x /usr/local/bin/ipfilter.sh #Add our own changes to the ssh list so that the new script and the other installed programs control the system. nano /etc/hosts.deny sshd: ALL vsftpd: ALL #Finally define where the script is found; aclexec uses the script's exit status to decide access. nano /etc/hosts.allow sshd: ALL: aclexec /usr/local/bin/ipfilter.sh %a vsftpd: ALL: aclexec /usr/local/bin/ipfilter.sh %a"
}